    Netgate Discussion Forum

    Routing OpenVPN user traffic over IPSec to Dest network

    Routing and Multi WAN
      aesellars last edited by

      I have users VPN'ing in using OpenVPN to a pfSense box at a remote site. That remote site is connected to a production network over IPsec.

      I can't get traffic from the OpenVPN interface over to the IPsec interface. I see ICMP packets hitting the OpenVPN interface heading towards the subnet that's on the other side of the IPsec tunnel, but the packets never show up in the IPsec tunnel capture.

      I'm pushing a route as "route 10.16.8.0 255.255.252.0", which is the destination network on the other side of the IPsec (the prod network side). I have a static route enabled in pfSense for that traffic to go over the WAN gateway.

      What am I missing?

        jimp Rebel Alliance Developer Netgate last edited by

        As long as the OpenVPN client has routes, and the IPsec tunnel has a Phase 2 entry that covers the OpenVPN tunnel/client network, then it should work OK. Also may need adjustments to IPsec firewall rules on the far side, and to make sure there are no conflicting networks, etc.

          MLIT last edited by

          You also need to add a firewall rule to the IPsec interface (on both ends) that allows traffic to/from the OpenVPN network.

          Also sharing IP addresses with us means nothing without a network map.

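The two conditions from jimp's reply (a Phase 2 entry that covers the OpenVPN tunnel network, and no conflicting networks) can be checked offline before touching either firewall. This is an added example, not part of the original thread and not pfSense code. It models each Phase 2 entry as a (local, remote) network pair; the OpenVPN tunnel network and the remote-site LAN are constructed values, and only the pushed route comes from the thread.

```python
import ipaddress
from itertools import combinations

def parse_pushed_route(directive):
    """Turn an OpenVPN 'route <net> <mask>' directive into an ip_network."""
    keyword, net, mask = directive.split()
    if keyword != "route":
        raise ValueError(f"not a route directive: {directive!r}")
    return ipaddress.ip_network(f"{net}/{mask}")

def uncovered_flows(tunnel_net, pushed_routes, phase2):
    """Return (src, dst) pairs that no Phase 2 (local, remote) pair covers."""
    src = ipaddress.ip_network(tunnel_net)
    selectors = [(ipaddress.ip_network(loc), ipaddress.ip_network(rem))
                 for loc, rem in phase2]
    missing = []
    for directive in pushed_routes:
        dst = parse_pushed_route(directive)
        # Both ends must fall inside the same Phase 2 entry.
        if not any(src.subnet_of(loc) and dst.subnet_of(rem)
                   for loc, rem in selectors):
            missing.append((str(src), str(dst)))
    return missing

def conflicting_networks(named):
    """Return name pairs (sorted) whose networks overlap."""
    nets = {name: ipaddress.ip_network(n) for name, n in named.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

# Constructed sample values; only the pushed route is from the thread.
OPENVPN_TUNNEL = "10.8.0.0/24"      # assumed OpenVPN tunnel network
REMOTE_LAN = "192.168.50.0/24"      # assumed LAN at the remote site
PUSHED = ["route 10.16.8.0 255.255.252.0"]
PHASE2_BEFORE = [(REMOTE_LAN, "10.16.8.0/22")]
PHASE2_AFTER = PHASE2_BEFORE + [(OPENVPN_TUNNEL, "10.16.8.0/22")]

if __name__ == "__main__":
    for label, p2 in (("before", PHASE2_BEFORE), ("after", PHASE2_AFTER)):
        print(label, "uncovered:", uncovered_flows(OPENVPN_TUNNEL, PUSHED, p2))
    print("conflicts:", conflicting_networks(
        {"openvpn": OPENVPN_TUNNEL, "remote_lan": REMOTE_LAN,
         "prod": "10.16.8.0/22"}))
```

An empty result from `uncovered_flows` only says the selectors line up; the far side needs the matching Phase 2 entry as well, and the firewall rules mentioned in the replies still apply.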